This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 78%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
New to Azure, and have made the classic rookie error of locking myself out.
I created an AD, it has myself as owner/admin/member, and 2 external guest users that I invited.
I was testing setting up cross-tenant access, I've added 2 organisations, one inherits from default and one is set to allow for all, and changed the default settings to blocked for all.
Now I can't access my tenant. I get "Access is blocked by the organisation" even when using my admin account when I try to switch to that tenant.
If I try use my admin account to log in to a registered app I get: Message: AADSTS500213: The resource tenant's cross-tenant access policy does not allow this user to access this tenant.
I don't understand why my admin user is being blocked by the cross-tenant policy?
I can't even delete the tenant to start over because I don't have access!
I can't find any support contact details. The 'help and support' button in azure just takes me back to the AD home screen - presumably I'd have to pay for some kind of support package.
Does anyone have any bright ideas how to get back in, or at least delete the broken directory?
Otherwise how to contact someone at MS who can help me?
Oh, despite being a member of the AD and the global administrator, the owner is still an EXTERNAL user?
And since the other 2 users are invited guests and thus also external, there are NO internal users in this AD. And I've changed default external access to 'blocked'...
How can I recover?
I have 1 cross-tenant organisation that is set to 'allow'. That organisation has the same global admin user, and a single internal user with default rights. The global admin account doesn't seem to work via the cross-tenant permission (can I force that somehow? I can't remove myself from the blocked AD, I don't have permission), and the internal user doesn't seem to even be able to see the blocked AD.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
@Richard ,
I am trying to check internally on how best we can recover the access in this case and I will update you with any info that I find.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 50%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKR%3C/text%3E%3C/svg%3E)
any solution for this problem? i ran in the same issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 2%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E9%3C/text%3E%3C/svg%3E)
Ran into the same issue, any solutions yet?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 24%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
any solution for this problem? i ran in the same issue. X2
can you describe the exact steps you took that locked you out? Curious how this happened.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 4%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKR%3C/text%3E%3C/svg%3E)
login to microsoft admin center (admin.microsoft.com) with your global admin account. there you can change the settings back.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 52%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
@Kay Ritzmann apologies for asking, but can you elaborate as to where within Admin you go to check for OR retract the settings, as we have a very similar issue, and all user are locked out of B2C tenancy. Thanks in advance.
using for login the user principle name... maybe it also works in azure portal